KR20160019615A - Security apparatus based on whitelist and blacklist and method thereof - Google Patents

Publication number
KR20160019615A
Authority
KR
South Korea
Prior art keywords
executable file
whitelist
execution
list
file
Application number
KR1020140103871A
Other languages
Korean (ko)
Inventor
위은영
Original Assignee
노틸러스효성 주식회사
Application filed by 노틸러스효성 주식회사 filed Critical 노틸러스효성 주식회사
Priority to KR1020140103871A priority Critical patent/KR20160019615A/en
Publication of KR20160019615A publication Critical patent/KR20160019615A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

According to the present invention, in a security method based on a whitelist and a blacklist on a terminal device or system requiring security, execution of an executable file whose execution attempt is detected is controlled based on a whitelist in which a list of executable files permitted to run is registered. Execution of an executable file that is not registered in the whitelist is blocked, and the file is registered in a separate blacklist. Accordingly, even when the whitelist cannot be used, execution is controlled on the basis of the blacklist, so that executable files that may pose a risk to the terminal device or system are effectively blocked, enabling more reliable security.

Description

The present invention relates to a security apparatus and method based on a whitelist and a blacklist. More particularly, it relates to a whitelist-based malicious program blocking method for controlling execution of executable files on a terminal device or system requiring security: execution of an executable file whose execution attempt is detected is controlled based on a whitelist, execution is blocked for an executable file not registered in the whitelist, and that file is registered in a separate blacklist. When the whitelist cannot be used, execution is controlled based on the blacklist, so that executable files that may be dangerous to the terminal device or system are blocked and more reliable security is possible.

In recent years, with the development of wired/wireless communication technology and automation technology, unmanned systems controlled by software, such as automation devices and cash dispensers, have been increasing. Such an unmanned system is connected to a network as needed, so that its operations can be controlled from a central server on the network without a separate operator to manage them.

However, because such an unmanned system is not directly managed or monitored by an administrator, security loopholes can arise. If a malicious program such as a virus is executed and causes the software or operating system to malfunction, serious losses can result.

For example, an unmanned system such as a cash dispenser (ATM) is connected to a financial network to perform a variety of financial functions such as cash withdrawal, money transfer, and account book functions. If data is modified by a virus or malicious program, the damage caused by malfunction of the software or operating system can be very large.

In general, an antivirus program or the like is installed on an unmanned system, and security is performed by checking all or part of the system's file system periodically or at the user's selection. However, in an unmanned system that is not directly managed and in which even a single malfunction can cause a large loss, this approach to security management is problematic.

Conventionally, a whitelist-based method has been proposed that secures a system by preventing any process or operation other than those preset by an administrator from being performed on the system at all. However, such whitelist-based security still has a problem: a malicious program may be executed while the whitelist is temporarily not operating normally, for example because of a system change.

Korean Registered Patent No. 10-1169287 (registered on July 23, 2012)

Therefore, the present invention provides a whitelist- and blacklist-based security apparatus and method in which, when controlling whether executable files run on a terminal device or system requiring security, execution of an executable file whose execution attempt is detected is controlled based on a whitelist in which a list of executable files permitted to run is registered; executable files that are not registered in the whitelist are blocked and registered in a separate blacklist; and executable files whose execution is attempted while the whitelist is unavailable are controlled based on the blacklist. Execution of files that may pose a risk to the terminal device or system is thereby blocked even when the whitelist cannot be used, enabling more reliable security.

The present invention provides a security device based on a whitelist and a blacklist, comprising: an executable file detection unit that detects whether there is an executable file attempting to execute on a terminal device or system requiring security; a blacklist generation unit that checks whether the executable file detected by the detection unit exists in a whitelist and registers the executable file in a blacklist when it does not; and a security control unit that controls execution of the executable file by referring to the whitelist or, when the whitelist becomes unavailable, controls execution of a new executable file detected by the detection unit after that point by referring to the blacklist.

When the whitelist is available, the security control unit refers to the whitelist to check whether the executable file exists in it, and blocks execution of the executable file if it does not.

When the whitelist is not available, the security control unit checks whether the new executable file exists in the blacklist, and blocks its execution if it does.

The white list is a list of executable files registered in advance to be executable on the terminal device or the system.

The blacklist is a list of executable files that are not registered in the whitelist and whose execution was blocked after an execution attempt was detected on the terminal device or the system.

According to another aspect of the present invention, there is provided a security method based on a combination of a whitelist and a blacklist, comprising: detecting whether execution of an executable file is attempted on a terminal device or system requiring security; when an execution attempt is detected, checking whether a whitelist for controlling execution of the executable file is available; if the whitelist is available, checking whether the executable file is present in the whitelist; executing the executable file if it is present in the whitelist; and, if the executable file is not present in the whitelist, blocking its execution and registering it in the blacklist.

The method further comprises: checking whether the executable file is present in the blacklist if the check shows that the whitelist is not available; and blocking execution of the executable file when it is present in the blacklist.

According to the present invention, in a security method based on a whitelist and a blacklist on a terminal device or system requiring security, execution of an executable file whose execution attempt is detected is controlled based on a whitelist in which a list of executable files permitted to run is registered. Execution of an executable file that is not registered in the whitelist is blocked, and the file is registered in a separate blacklist. Accordingly, even when the whitelist cannot be used, execution is controlled on the basis of the blacklist, so that executable files that may pose a risk to the terminal device or system are effectively blocked, enabling more reliable security.

FIG. 1 is a detailed block diagram of an automatic teller machine, an unattended system to which a security device based on a whitelist and a blacklist is applied, according to an embodiment of the present invention.
FIG. 2 is a detailed block diagram of a security device according to an embodiment of the present invention.
FIG. 3 is a conceptual diagram of blacklist generation according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating an operation of performing security by using a combination of whitelist and blacklist functions in a security device of an unattended system according to an embodiment of the present invention.

Hereinafter, the operation principle of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions of the present invention, and these may be changed according to the intention of the user, the operator, or the like. Therefore, the definition should be based on the contents throughout this specification.

FIG. 1 is a detailed block diagram of an automatic teller machine, an unmanned system to which a security device based on a whitelist and a blacklist is applied, according to an embodiment of the present invention. In this embodiment, the security operation in the automatic teller machine is described as an example for convenience of explanation, but the same can be applied to other unattended systems employing the security apparatus of the present invention.

Hereinafter, the operation of each component of the ATM 110 will be described in more detail with reference to the drawing.

First, the card reader unit 102 is mounted at a predetermined position on the front panel of the automatic teller machine 100 and obtains the card information by reading the magnetic stripe attached to the card.

The input unit 104 is a keypad, including a plurality of numeric keys and function keys, for selecting a function required by a cardholder or inputting necessary data, or a touch screen through which various functions can be selected by touch, or the like.

The data communication unit 110 is connected to the control unit 120, receives various data from the control unit 120 and transmits the data over a communication network to a designated destination such as a management and operation server or a financial transaction system, and passes data received through the communication network to the control unit 120. That is, the data communication unit 110 acts as an interface for exchanging data between the cash deposit/withdrawal apparatus 100 and the management and operation server (not shown) or between the cash deposit/withdrawal apparatus 100 and the financial transaction system (not shown).

The printing unit 112 prints a statement (for example, a cash deposit/withdrawal statement) confirming details of transactions made through the cash deposit/withdrawal apparatus 100 under the control of the control unit 120.

The cash deposit/withdrawal unit 114, under the control of the control unit 120, counts deposited cash, stores it in the cash box, and provides the count data to the control unit 120; it also withdraws cash from the cash box, counts it, and dispenses it.

The display unit 115 displays screens according to the various operation states of the cash deposit/withdrawal apparatus 100 under the control of the control unit 120 and displays result data corresponding to the user's request entered through the input unit 104.

The control unit 120 controls the overall operation of the cash deposit/withdrawal apparatus 100 according to an operation program stored in the memory unit 118. It is connected to the card reader unit 102 and the input unit 104 and receives key signals from them to perform the corresponding function of the cash deposit/withdrawal apparatus 100.

The security device 116 is a device that performs a security operation to protect an unmanned system such as a cash deposit / withdrawal machine from a malicious program.

The security device 116 stores a list of executable files registered in advance as executable on the unattended system, for example in a whitelist. When an executable file attempts to execute on the unattended system, the security device checks whether that file is present in the whitelist and blocks its execution if it is not, thereby protecting the unmanned system from malicious programs.

In addition, according to the embodiment of the present invention, the security device 116 blocks execution of an executable file that is not registered in the whitelist and at the same time registers it in a separate blacklist. When the whitelist is not available, execution is controlled based on the blacklist, so that execution of executable files that are dangerous to the system can still be prevented.

FIG. 2 shows a detailed block configuration of a security apparatus according to an exemplary embodiment of the present invention, and may include an executable file detection unit 200, a black list generation unit 202, a security control unit 206, and the like.

Hereinafter, operation of each component of the security device will be described in detail with reference to the drawing.

First, the executable file detection unit 200 detects whether there is an executable file attempting to execute on a terminal device or system requiring security, such as a cash deposit/withdrawal apparatus, and transmits information about that executable file to the blacklist generation unit 202, the security control unit 206, and the like.

The blacklist generation unit 202 checks whether the executable file detected by the executable file detection unit 200 is present in the whitelist 208. If the executable file is not present in the whitelist 208, the blacklist generation unit 202 registers it in the blacklist 204.

Here, the whitelist 208 may be a list of executable files registered in advance as executable on the terminal device or the system. The blacklist 204 may be a list of executable files that are not registered in the whitelist 208 and whose execution was blocked, after an execution attempt was detected on the terminal device or the system, by the security control unit 206 performing execution control based on the whitelist 208; such files may be registered in the blacklist 204 by the blacklist generation unit 202. In addition to the executable files blocked by the security control unit 206 based on the whitelist 208 and registered as described above, the blacklist 204 may include a plurality of executable files previously known to be malicious programs.

The security control unit 206 controls whether an executable file is executed by referring to the whitelist 208 or, when the whitelist 208 becomes unavailable, by referring to the blacklist 204 for any new executable file detected by the executable file detection unit 200 after the point at which the whitelist 208 became unavailable.

That is, when the whitelist 208 is available, the security control unit 206 refers to the whitelist 208 to check whether the executable file detected by the executable file detection unit 200 is present in the whitelist 208, and if it is not, blocks execution of that executable file to protect the system.

At this time, the security control unit 206 registers the executable file found not to be present in the whitelist 208 in the blacklist 204 through the blacklist generation unit 202 (see FIG. 3). For example, if the executable file VIRUS AAA, which is not present in the whitelist 208, is blocked by the security control unit 206 based on the whitelist, VIRUS AAA is passed to the blacklist generation unit 202 and registered in the blacklist 204. Executable files blocked on the basis of the whitelist are registered and managed in the blacklist 204 to prepare for a future situation in which the whitelist 208 cannot be used.

On the other hand, when a system patch or the like is performed by an administrator who manages the terminal device or system requiring security, the whitelist may temporarily stop operating. For example, if the administrator intends to install a program that is not registered in the whitelist for system patching, the program is difficult to install while the whitelist is operating. The operation of the whitelist is therefore temporarily stopped, and after the new program is installed, the executable file of the newly installed program can be registered in the whitelist.

In such a case, the security control unit 206 temporarily cannot use the whitelist, and a state may occur in which the whitelist-based security operation cannot be performed.

Accordingly, in the present invention, when the whitelist 208 cannot be used, the security control unit 206 controls execution of a new executable file whose execution is attempted after the whitelist 208 became unavailable by referring to the blacklist 204, which compensates for the security problem that arises when the whitelist is not in use.

That is, for example, the security control unit 206 checks whether a new executable file that the executable file detection unit 200 detects as attempting to execute after the whitelist 208 became unavailable exists in the blacklist 204, and if it does, blocks its execution to protect the system.

Accordingly, according to the embodiment of the present invention, even if execution of an executable file is attempted while the whitelist is unavailable, execution is controlled based on the blacklist, so that dangerous executable files can be blocked and more reliable security can be realized.

FIG. 4 illustrates an operation control flow for performing security by using a combination of whitelist and blacklist functions in a security device of an unattended system according to an embodiment of the present invention. Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS. 1 to 3.

First, the security device 116 monitors whether there is an executable file that attempts to execute on a terminal device or a system requiring security such as a cash deposit / withdrawal device (S400).

If an executable file attempting to execute on a terminal device or system requiring security is detected (S402), the security device 116 checks whether the whitelist 208, which is a list of executable files registered in advance as executable on the terminal device or the system, is available (S404).

If it is determined that the whitelist 208 is available, the security device 116 refers to the whitelist 208 and compares the executable file to be executed with the executable files registered in the whitelist 208 (S406).

At this time, if it is determined that the corresponding executable file exists in the whitelist 208 (S408), the security device 116 determines that the executable file is normal and allows it to be executed (S410).

However, if it is determined that the executable file does not exist in the whitelist 208, the security device 116 blocks execution of the executable file and registers the blocked executable file in the blacklist 204 (S412). Registering and managing in the blacklist 204 the executable files blocked on the basis of the whitelist prepares for a situation in which the whitelist 208 cannot be used in the future.

On the other hand, when the whitelist 208 is unavailable, the security device 116 controls execution of an executable file detected after the point at which the whitelist 208 became unavailable by referring to the blacklist 204.

That is, if the whitelist 208 cannot be used (S404), the security device 116 compares the executable file to be executed with the executable files registered in the blacklist 204 (S414).

At this time, if it is determined that the corresponding executable file exists in the black list 204 as a result of the comparison, the security device 116 determines that the execution attempt is abnormal and controls execution of the executable file to be blocked (S418).

However, if it is checked that the executable file does not exist in the black list 204, the security device 116 controls the executable file to be executed.
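The decision flow of steps S400 to S418, as an added example that is not part of the patent text or of any product of the applicant: a Python model of the security control unit run over a constructed sequence of execution attempts, including the patching window described above. Identifying files by SHA-256 digest, all class and function names, and the sample byte strings are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


def file_id(content: bytes) -> str:
    """Assumption: a file is identified by the SHA-256 digest of its contents."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class SecurityControl:
    """Model of security control unit 206 plus blacklist generation unit 202."""
    whitelist: set = field(default_factory=set)      # whitelist 208
    blacklist: set = field(default_factory=set)      # blacklist 204
    whitelist_available: bool = True
    audit: list = field(default_factory=list)

    def on_execution_attempt(self, name: str, content: bytes) -> Verdict:
        fid = file_id(content)
        if self.whitelist_available:                          # S404
            if fid in self.whitelist:                         # S406, S408
                verdict, why = Verdict.ALLOW, "whitelisted"   # S410
            else:
                self.blacklist.add(fid)                       # S412
                verdict, why = Verdict.BLOCK, "not whitelisted; blacklisted"
        elif fid in self.blacklist:                           # S414
            verdict, why = Verdict.BLOCK, "blacklisted"       # S418
        else:
            # Final step of the fallback branch: not in the blacklist, so it runs.
            verdict, why = Verdict.ALLOW, "whitelist unavailable; not blacklisted"
        self.audit.append((name, verdict.value, why))
        return verdict

    def suspend_whitelist(self) -> None:
        """Administrator stops the whitelist, e.g. to install a patch."""
        self.whitelist_available = False

    def resume_whitelist(self, newly_installed=()) -> None:
        """Register the newly installed programs, then re-enable the whitelist."""
        self.whitelist.update(file_id(c) for c in newly_installed)
        self.whitelist_available = True


# Constructed sample contents (not real binaries).
ATM_APP = b"constructed: ATM application"
VIRUS_AAA = b"constructed: VIRUS AAA"
PATCH = b"constructed: patch installer"
UNKNOWN = b"constructed: tool never seen before"


def run_demo():
    ctl = SecurityControl(whitelist={file_id(ATM_APP)})
    steps = []

    def attempt(name, content):
        steps.append((name, ctl.on_execution_attempt(name, content).value))

    attempt("atm_app", ATM_APP)        # normal operation: whitelisted
    attempt("VIRUS AAA", VIRUS_AAA)    # blocked and registered in blacklist
    ctl.suspend_whitelist()            # patching window begins
    attempt("VIRUS AAA", VIRUS_AAA)    # still blocked, now via blacklist
    attempt("patch", PATCH)            # administrator's installer runs
    attempt("unknown", UNKNOWN)        # never seen, so not in blacklist: runs
    ctl.resume_whitelist([PATCH])      # patching window ends
    attempt("patch", PATCH)            # now whitelisted
    attempt("unknown", UNKNOWN)        # blocked and registered in blacklist
    return steps, ctl


if __name__ == "__main__":
    for row in run_demo()[1].audit:
        print(row)
```

The audit trail makes the coverage of the fallback branch visible: during the suspension only files already registered in the blacklist are stopped, so a file with no prior blocked attempt runs until the whitelist is restored.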

As described above, according to the present invention, in a security method based on a whitelist and a blacklist on a terminal device or system requiring security, execution of an executable file whose execution attempt is detected is controlled based on a whitelist in which a list of executable files permitted to run is registered. Execution of an executable file not registered in the whitelist is blocked, and the file is registered in a separate blacklist. Accordingly, even when the whitelist cannot be used, execution is controlled on the basis of the blacklist, so that executable files that may pose a risk to the terminal device or system are effectively blocked, enabling more reliable security.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should not be limited by the described embodiments but should be defined by the appended claims.

200: Executable file detection unit
202: Blacklist generation unit
204: Blacklist
206: Security control unit
208: Whitelist

Claims (7)

1. A security apparatus based on a whitelist and a blacklist, comprising:
an executable file detection unit that detects whether there is an executable file attempting to execute on a terminal device or system requiring security;
a blacklist generation unit that checks whether the executable file detected by the executable file detection unit is a file existing in a whitelist and registers the executable file in a blacklist if it is not a file existing in the whitelist; and
a security control unit that controls execution of the executable file by referring to the whitelist or, when the whitelist becomes unavailable, controls execution of a new executable file detected by the detection unit after the point at which the whitelist became unavailable by referring to the blacklist.

2. The security apparatus according to claim 1, wherein the security control unit, when the whitelist is available, refers to the whitelist to check whether the executable file exists in the whitelist, and blocks execution of the executable file when it does not exist in the whitelist.

3. The security apparatus according to claim 1, wherein the security control unit, when the whitelist is not available, checks whether the new executable file exists in the blacklist, and blocks its execution if it exists in the blacklist.

4. The security apparatus according to claim 1, wherein the whitelist is a list of executable files registered in advance so as to be executable on the terminal device or the system.

5. The security apparatus according to claim 1, wherein the blacklist is a list of executable files that are not registered in the whitelist and whose execution attempts were blocked after being detected on the terminal device or the system.

6. A security method based on a whitelist and a blacklist, comprising:
detecting whether there is an executable file attempting to execute on a terminal device or system requiring security;
checking, if the execution attempt is detected, whether a whitelist for controlling execution of the executable file is available;
checking whether the executable file is present in the whitelist if the whitelist is available;
executing the executable file if it is present in the whitelist; and
blocking execution of the executable file and registering it in the blacklist if it is not present in the whitelist.

7. The method according to claim 6, further comprising:
checking whether the executable file exists in the blacklist if the whitelist is not available; and
blocking execution of the executable file if it is present in the blacklist.
Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020140103871A KR20160019615A (en) 2014-08-11 2014-08-11 Security apparatus based on whitelist and blacklist and method thereof

Publications (1)

Publication Number Publication Date
KR20160019615A true KR20160019615A (en) 2016-02-22

Family

ID=55445324

Country Status (1)

Country Link
KR (1) KR20160019615A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101169287B1 (en) 2010-12-13 2012-08-02 (주)휴빌론 Mobile security system and control method thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018056601A1 (en) * 2016-09-22 2018-03-29 주식회사 위드네트웍스 Device and method for blocking ransomware using contents file access control
KR20180032409A (en) * 2016-09-22 2018-03-30 주식회사 위드네트웍스 Apparatus and method for blocking ransome ware using access control to the contents file
WO2019212111A1 (en) * 2018-04-30 2019-11-07 에스엠테크놀러지(주) System and method for monitoring and controlling abnormal process, and recording medium for performing same method

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E902 Notification of reason for refusal
E601 Decision to refuse application